Court Enforces $4.8M in Insurance Coverage for Email Scam

The legal landscape for insurance coverage for business email scams remains unsettled, but a recent decision from a Manhattan judge ordering an insurer to cover $4.8 million in losses for a company that fell victim to a “spoofing” scam may give plaintiffs a new weapon in coverage disputes.

Southern District Judge Andrew Carter Jr. granted summary judgment for Medidata, which sued Federal Insurance Co., a subsidiary of insurance giant Chubb Ltd., saying the losses the company suffered when an imposter tricked its accounts payable department into wiring money are covered by computer fraud provisions in its insurance policy.
Carter said that, under Federal’s interpretation of case law, coverage for computer fraud would require a thief to hack into a company’s computer system and initiate a bank transfer.

“But hacking is one of many methods that a thief can use and is an everyday term for unauthorized access to a computer system,” the judge wrote.

Medidata provides cloud-based computing services for scientists conducting clinical trials.
In 2014, the Medidata employee responsible for travel and entertainment expenses received an email in which the sender, claiming to be the company’s president, said that an attorney named Michael Meyer would contact her about the company’s effort to finalize an acquisition.

A man holding himself out to be Meyer contacted the employee and said he would need an immediate wire transfer.
After the employee said she would need to clear the transaction with Medidata’s vice president and director of revenue, all three employees received a group email from someone claiming to be Medidata’s president requesting the funds transfer. They complied and wired almost $4.8 million to an account in China that Meyer provided.

After the supposed attorney asked for a second transfer, however, the vice president became suspicious and the president was contacted in a separate email. After the president said he did not request either of the wire transfers, the company contacted the FBI.

According to court papers, the identities of the scammers were never revealed and Medidata’s money was never recovered. Medidata had a $5 million policy with Federal containing a section that covers computer fraud, but the insurer denied Medidata’s claim, saying there was no fraudulent entry of data into the company’s computer system.
But Carter said that Federal is relying on an overbroad reading of the New York Court of Appeals’ 2015 decision in Universal American v. National Union Fire Insurance , 25 NY3d 675, in which the court said fraud achieved through a violation of a computer system “deceitful and dishonest access” should be covered.

Carter’s decision comes at a time when courts around the country remain at odds over whether or not insurance claims should cover the types of attacks that befell Medidata, which are becoming more prevalent.

The legal landscape for insurance coverage for business email scams remains unsettled, but a recent decision from a Manhattan judge ordering an insurer to cover $4.8 million in losses for a company that fell victim to a “spoofing” scam may give plaintiffs a new weapon in coverage disputes.